Deconstructing the Fake FTC E-mail Virus Attack

A targeted e-mail virus disguised as an identity theft inquiry from the Federal Trade Commission appears to have successfully compromised more than 500 PCs, including victims at banks, real estate brokerages, law firms and marketing companies.

Each of the victims received the invitation to open the virus-infected attachment via an e-mail that addressed the recipient by name, and in some cases included the name of the recipient's employer. Security Fix was able to gain access to one of several Internet addresses where data stolen from victims' PCs was uploaded by the virus. The link did not require a user name or password. Several security outfits are working to get the site taken down, but for as long as it stays live, the stolen data is exposed to any other criminal who finds the address.

It's not clear how the attacker selected targets, but one thing is increasingly clear: Malicious e-mail virus and "phishing" attacks that most of us have become accustomed to deleting are beginning to shift from indiscriminate, blast-as-many-spams-as-you-can assaults to sophisticated attacks that use information gleaned from previous data thefts to target individual e-mail users. The end result is that a far higher percentage of recipients actually open the poisoned attachments, and in some cases even forward the message on to a trusted friend, co-worker, or subordinate.

Recipients running Microsoft Windows who clicked on the attachment in the bogus FTC e-mail were warned by Windows that an executable file (a program installer) was about to run, and were given the chance to decline. Anyone who ignored that warning witnessed yet another social engineering feat: the program then produced a pop-up alert complaining that Microsoft Word had crashed, and invited the user to double-click a provided icon to restart Word. Double-clicking that "OK" button completed the final stage of the installation, allowing a Trojan horse program to take up residence on the machine and record every keystroke typed from then on.

The malicious program doesn't just record every keystroke. The author also built in a remote-viewing feature that lets him watch his victim's Windows desktop in real time: the attacker can take screen shots while the victim surfs the Web, including at the moment someone logs into a bank account or another site requiring a password.

The person who masterminded this attack even took screen shots of his own desktop, presumably to test his malware to make sure it functioned properly (note that his Windows desktop is in Russian with Cyrillic characters). A short snippet of commands he typed on his own computer -- along with his own IP address -- also appeared in the cache of stolen data on the Web site where the Trojan horse uploads stolen data.

The individual responsible for this virus lives in Ukraine and writes his own malicious software, according to Matthew Richard, director of the rapid response team for iDefense, a security firm owned by Verisign.

To illustrate the remote control features of the malware, check out the screenshot below, which the perpetrator took when one of his victims was alerted to the presence of his program by an antivirus program -- score one for antivirus vendor AVG. (Note the Excel file named "Credit Cards August" on the would-be victim's desktop!).

According to VirusTotal.com, an online tool that uses the combined power of more than two dozen antivirus programs to scan for new malware, this piece of malicious software was so selectively spammed that it remains undetected by the majority of antivirus products on the market today. In fact, as late as Nov. 1, a confirmed victim's machine passed a full system scan by an up-to-date version of Symantec's Norton antivirus.

iDefense's Richard said it was remarkable that the AVG software detected this piece of malware, which was hand-made and only sent to a few thousand victims. "The stuff he's writing is very custom, so there's generally zero detection available for this type of malware for weeks at a time," Richard said. "Antivirus is nearly worthless when it comes to [detecting] custom attacks."

So who were the victims of this attack, which -- despite a fair amount of media attention -- appears to be gaining new victims with each passing hour? Most of the two dozen or so victims I spoke with fell into one of four camps: real estate brokers, marketing companies, law firms and pharmaceutical providers. Several news media organizations were among the victims. In fact, I personally alerted a victim at The Washington Post.

The SANS Internet Storm Center earlier this week posted an alert about the fake FTC e-mail that appeared to tie the attack to a database of sales leads allegedly stolen from Salesforce.com. Last week, Security Fix published evidence suggesting that a database compromise at Salesforce.com had led to a similar series of targeted malicious e-mail virus attacks against several industry sectors, including numerous bank customers.

A great many of the victims I contacted were confirmed users of Salesforce.com's database. Still, it's not clear yet how the database breach occurred and Salesforce.com may not have been the negligent party. But one aspect of this attack remains very curious: Out of nearly 500 people who were victimized by this particular Trojan horse program over the past 72 hours, the attacker chose to take screen shots of just a handful of them. Among those he decided to snapshot was a person logging into a user account at Salesforce.com, which you can see in the image to the left.

If there is a moral to this story, it is this: E-mail has become such an untrustworthy medium that even messages addressing you by name should be treated with the utmost suspicion, particularly those that ask you to open an e-mail attachment or click on an included link. If a message comes from someone you don't know, delete it. If it appears to have been sent from a friend or family member, reply to the message and ask for confirmation that the sender indeed meant for you to view that e-mail attachment.

Update, 1:12 p.m. ET, Nov. 6: Care to know just how bad anti-virus detection is for the keystroke logging program used in this attack? Check out the results of a scan at VirusTotal.com viewable here. Only 15 out of 31 different anti-virus programs currently detect it as malicious. That's less than a 50 percent detection rate for a piece of malware that was first spammed out more than two weeks ago.

By Brian Krebs  |  November 5, 2007; 6:00 AM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips , U.S. Government  

Comments

"Recipients running Microsoft Windows who clicked on the attachment in the bogus FTC e-mail were warned by Windows that an executable file (a program installer) was about to run, and given the chance to decline the execution."

Wouldn't the exact UI here depend on which e-mail client (or webmail provider and browser) you used?

"Anyone who ignored that warning witnessed yet another social engineering feat. The invading program then produced a pop-up alert complaining that Microsoft Word had crashed, and that the user could double-click on a provided icon to restart Word."

What's the point of this part? Why did the attacker find it necessary to perform additional social engineering after getting you to run the executable? Does double-clicking the icon somehow give the attacker's program privileges it didn't have before?

Posted by: Jesse Ruderman | November 5, 2007 6:48 AM | Report abuse

I might revise the following - "If it appears to have been sent from a friend or family member, reply to the message and ask for confirmation that the sender indeed meant for you to view that e-mail attachment" - to suggest that you should not reply, but rather send a new message to a known address for the sender.

Posted by: James | November 5, 2007 8:04 AM | Report abuse

Even e-mails coming from institutions with which I'm involved now get the browser method of responding. That is, I put the institution's address into the browser to access the institution and ask about the legitimacy of the e-mail. I NEVER click anything in the e-mail itself.

Posted by: inge | November 5, 2007 10:18 AM | Report abuse

Very informative article. Thanks.

Posted by: Richard Muller | November 5, 2007 10:39 AM | Report abuse

I hate to beat a dead horse, but once again, these articles really make me love my Mac.

Jeff Carter
www.osxland.com

Posted by: Jeff Carter | November 5, 2007 10:53 AM | Report abuse

To Mr. Carter: this didn't take advantage of any security flaw. It went after the user. As the recent Mac trojan shows, they're starting to go after Mac users with social engineering also. The same targeted attack against a Mac user would probably be just as successful.

Posted by: anon | November 5, 2007 11:00 AM | Report abuse

We got a copy here - personally addressed to the CEO (who clicked on the attachment, unfortunately - then contacted us).

Good news: We wiped the machine that afternoon, just to be sure. Symantec didn't pick up anything...

Posted by: Network Admin | November 5, 2007 11:56 AM | Report abuse

Thanks for the article - it's good to know this thing is in the wild. However, am I the only one who's uncomfortable with pictures of some innocent victim's kids being posted on a public blog?? I'm assuming, and maybe I shouldn't, that the victim doesn't know that his desktop is being reproduced online. I can't deny that it does drive home the point of how important is to protect oneself...

Posted by: tjohn | November 5, 2007 12:22 PM | Report abuse

@Jesse -- I don't know why they chose to make this a multi-staged attack. You're right that it seems unnecessarily complicated. Verisign's analyst said it looked like this guy was sort of an amateur coder, so who knows. Probably his next attack will be a bit more streamlined (this is his second targeted attack that spoofed the FTC).

Posted by: Bk | November 5, 2007 12:26 PM | Report abuse

With regard to this attack, I would like to hear a knowledgeable person's perspective on the relative security of web-based email vs. desktop-based email. It seems to me that if I read the email and opened the attachment while on the web using Google Docs, for instance, that my PC would have remained uninfected. Is this a valid argument in favor of web-based email clients?

Posted by: Doug J | November 5, 2007 12:35 PM | Report abuse

@DougJ -- Not sure using Gmail or Google Docs would make much of a difference. If you download and run the attachment, it's pretty much game over.

As a side note, most of the victims of this attack were not the usual consumers, but executives. Hence, the majority of the victims I saw had infections on their work computers, mainly because the e-mails were sent to their work addresses (not hotmail, gmail, etc.)

Posted by: Bk | November 5, 2007 12:44 PM | Report abuse

Writing that much code for such a small targeted attack seems a poor return on effort. The strategy of most online gangsters seems to entail casting a wide net. What do security experts and strategists think the significance of this attack is?

Posted by: Fred A | November 5, 2007 12:51 PM | Report abuse

@Fred -- I think you'd be surprised at the number of hoops some criminals are willing to jump through to find new victims. The significance of this case, from my discussions with others who are tracking the attack - is that targeted attacks are far, far more successful than huge spammed attacks. What's more, huge spammed attacks that include custom made malware are more likely to have a much shorter lifespan. The more people who have the malware on their systems, the more likely it is that a broader class of anti-virus and other security software are going to detect it as malicious going forward.

So it behooves the attacker to -- if he can - limit the distribution to a targeted few. Even if he can bring the rate of infection from say 1/1000 to 1/100 with a targeted attack, that's a huge increase in success rates. Plus, the targeting helps keep the malware hidden for longer periods of time.

Posted by: Bk | November 5, 2007 12:56 PM | Report abuse

This article was linked to over at Calendar of Updates (http://www.dozleng.com/updates/index.php?showtopic=16217), and I am glad it was - this seriously underscores just how *dangerous* email has become.

Kudos to James - you beat me to the punch about the reply versus create new message.

I am sure the topic there will engender a lively discussion about it, especially as we have already had another topic about GMail itself and how Google's practices are anywhere from a bit unnerving to downright full-fledged privacy invasion techniques, and continually have discussions about security news from around the world.

Brian - thanks for your further analysis in your last comment - it makes much more sense now why a specialized, targeted attack would be so much more successful than a wide-scoped attack - and it makes it even more scary if you look at it like this - what if all these machines were, in fact, hijacked and made into zombies, into a small subset of one of the existing bot-nets?

There *seriously* needs to be a much greater emphasis placed upon end-user education - too many people get behind the KB without a clue as to what they are really doing, and the problem is only going to get worse as more and more OSs stress "Ease of use" to draw more customers from the computer illiterate field.

Posted by: John L. Galt | November 5, 2007 5:43 PM | Report abuse

This is a very informative article.
The way the rapid growth of ID theft is overtaking us, all we can do to cut the risk of being a victim is to at least get protected. I do group benefits for Prepaid Legal Services, Inc. It's your fire extinguisher for your ID protection and life events plan.
prepaidlegal.com/go/stephont

Posted by: Stephon Lewis | November 5, 2007 6:23 PM | Report abuse

Bk,

Thanks for the response.

But, to the point of my question, if I do all my email reading and attachment opening on the web, don't download anything, am I less vulnerable? I take it from your response that I am.

Correct?

Is one possible solution to the Malware problem to just keep all email and attachments on the web and off the desktop?

Personally, I prefer to run using an email client on the desktop but perhaps this is much less secure.

I don't recall seeing any articles proposing web-based email service makes you less vulnerable to infections on your PC.

Posted by: Doug J | November 5, 2007 11:35 PM | Report abuse

Fred A: Let's say the virus writer sends out 1 million emails, and gets 1,000 infections out of that attack. Let's say the virus is to extract money in one way or another. Those 1,000 infections, if they get the virus writer $1,000 each, will net $1,000,000. The problem is that the virus is detected rather quickly, as many, many people have the opportunity to see it.

Let's say the virus writer takes a much more low-profile approach, and only sends out a few hundred messages. Let's say the virus infects a highly-placed official in some multi-billion dollar company. The possibility of getting $1,000,000 or more from that one company is greatly increased. Get two or more infections, and your payback REALLY increases.

And as Bk stated, the lower the profile the virus writer can maintain, thus the longer the file flies under the radar, the more potential money can be extracted from compromised accounts. As long as it flies under the radar, the longer it won't be detected by the anti-malware software.

Posted by: Critter | November 6, 2007 2:24 AM | Report abuse

tjohn, why do you think an anonymous photo of some child is a problem?

Are perverts having so much trouble finding children that the confirmed presence of this one is going to drive them wild?

Even one they can't find?

Let's try to be serious, shall we?

Posted by: Sun Tsu | November 6, 2007 8:58 PM | Report abuse

I would like to thank the Washington Post for publishing this article. This makes us think about the reliability and security of MS products.

Can anyone tell me whether Addware or any other malware detection program detects this trojan? I would also like to know whether a Mozilla and OpenOffice combination would survive this attack on Windows XP.

Posted by: Srikanth | November 7, 2007 2:41 AM | Report abuse

Fred, the goal of most of these hackers is not to use the data themselves, but to make money selling the information they get to the highest bidder. There are people who spend their time doing nothing but finding security flaws in programs and operating systems and then auctioning that knowledge off to the highest bidder. If I'm able to hack a DB with this kind of info in it, and then get 500 positives, I'm not going to go to the trouble of writing MORE code to exploit those idiots who bought my scam; I'm going to sell that info to the people who already have the network in place to exploit it.

Posted by: JP | November 7, 2007 9:25 AM | Report abuse

Doug J, you are still fully vulnerable with a web e-mail client. In order to view or open an attachment with a web e-mail client, the attachment is downloaded to your local machine to be opened; it does not stay on the web. Whatever you view on your local machine is downloaded to you from the web. If anything stayed on the web, you wouldn't see it on your local machine at all. Even this web page now exists on your local machine as a temporary Internet file. So a web e-mail client does not protect you any better than a desktop client. The only difference is that Hotmail or Gmail generally have better anti-virus protection and remove most malicious attachments before you get a chance to open them. But as the article states, viruses are getting smarter at avoiding anti-virus detection. So still be cautious about opening any attachment, even through web e-mail clients.

Posted by: George T | November 7, 2007 12:54 PM | Report abuse

The biggest problem I see with web mail is any active content may be executed within the browser, since that is what browsers generally do, whereas, an e-mail client such as Outlook XP/2003 or newer allows the option to read ALL incoming mail as plain text (no active content) and with a default setting of not displaying or blocking any active content unless further action is done by the user. And therein lies the rub. Ultimately, it is up to the end user to exercise proper judgment with open attachments or clicking links.

Final point, plain text e-mail should be the standard with HTML the exception.

Posted by: TJ | November 7, 2007 3:30 PM | Report abuse

What type of user privileges were they using to allow installer executables?

Posted by: Carlos | November 8, 2007 1:15 AM | Report abuse

I'm a regular reader of Security Fix and appreciate the information you provide, but I think it is VERY inappropriate for you to be using that screenshot of the compromised computer showing the kid's face. That personal and presumably private image was illicitly obtained, and just because you were able to get your hands on it doesn't mean you should be disseminating it for public consumption.

You should have obscured the kid's face before putting the image online.

Posted by: t_joe | November 9, 2007 7:37 AM | Report abuse

Our email system blocks ALL emails with executable attachments regardless of whether a virus scanner finds anything. This story shows why.

Posted by: Chris | December 11, 2007 7:54 AM | Report abuse
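Chris's policy of rejecting executable attachments outright, rather than trusting the scanner, is the control that would have stopped the lure described in the post, since the Trojan arrived as a Windows executable that most antivirus products did not flag. The following is an added example, not code from the post or from any product named in it, of how a mail gateway can apply that rule: it checks the attachment's final filename extension (so "complaint.doc.exe" is caught) and the bytes themselves (a Windows executable begins with an "MZ" stub and carries a "PE\0\0" signature at the offset stored at byte 0x3C), so relabeling the part as a Word document does not get it through. The sample message, its addresses and attachment names, and the extension list are all constructed for this example; the "executable" is a minimal fake header, not real code.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

# Final extensions Windows will run directly. Assumption: a representative
# list for the example, not the page's; a real gateway maintains a longer one.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "msi", "vbs", "js", "jse",
    "wsf", "hta", "cpl", "dll",
}


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes carry a Windows PE header: an 'MZ' DOS stub and the
    'PE\\0\\0' signature at the offset stored at 0x3C (e_lfanew), regardless
    of whatever Content-Type the sender declared."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def has_executable_extension(filename: str) -> bool:
    """Check the *last* extension, so the double-extension trick
    ('complaint.doc.exe') is caught."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in EXECUTABLE_EXTENSIONS


def find_executable_attachments(raw_message: bytes) -> list:
    """Return (filename, declared content type, reasons) for every attachment
    that is executable by name or by content. An empty list means 'deliver'."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if has_executable_extension(name):
            reasons.append("executable extension")
        if looks_like_pe(payload):
            reasons.append("PE header in content")
        if reasons:
            findings.append((name, part.get_content_type(), reasons))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a personalised lure carrying a renamed executable
    (declared as a Word document) plus a harmless PDF."""
    fake_pe = bytearray(b"MZ" + b"\0" * 0x3E)      # 64-byte DOS stub
    struct.pack_into("<I", fake_pe, 0x3C, 0x40)    # e_lfanew points at 0x40
    fake_pe += b"PE\0\0" + b"\0" * 20              # PE signature, padding
    msg = EmailMessage()
    msg["From"] = "complaints@example.com"          # constructed sender
    msg["To"] = "jane.doe@example.org"
    msg["Subject"] = "Identity theft complaint filed against you"
    msg.set_content("Dear Jane Doe, please review the attached complaint.")
    msg.add_attachment(bytes(fake_pe), maintype="application",
                       subtype="msword", filename="complaint.doc.exe")
    msg.add_attachment(b"%PDF-1.4\n% constructed placeholder\n",
                       maintype="application", subtype="pdf",
                       filename="notice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ctype, why in find_executable_attachments(build_sample_message()):
        print(f"BLOCK {name} ({ctype}): {', '.join(why)}")
```

The content check matters because the extension list is the part an attacker controls: a sender who renames the file gets past a name-only rule, while a gateway that also reads the header still blocks the part whatever it is called. The caveat is the reverse case: an executable packed inside a ZIP or an installer wrapped in a document macro is not an MZ file at the top level, so a production filter has to recurse into archives and treat macro-bearing documents as a separate class.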

The comments to this entry are closed.


© 2010 The Washington Post Company